System for remotely-operated systems

ABSTRACT

The invention relates to a remote-controlled system comprising:—at least one ground interface ( 3 ), from which an operator can control a remote-controlled vehicle;—at least one mission unit ( 7, 8 ) in said vehicle; and—a data link between said interface ( 3 ) and said mission unit ( 7, 8 ). Said system is characterized in that it comprises, on the ground and in the vehicle, security monitoring systems ( 6, 10 ) suitable for approving and/or authenticating critical data and/or commands exchanged between the ground and the vehicle and also suitable for verifying the integrity of said data. It is thus possible to use, on the ground as on board the vehicle, interfaces and units with a low level of criticality at the same time as interfaces and units with the highest level of criticality.

The present invention relates to remotely-operated systems such asairborne or earth-borne drones.

Remotely-operated systems are equipped with data links which are eitherinternal data links that the remote-operator totally controls, or datalinks which are external relatively to the remote-operator (SATCOM forexample).

In the case of an external data link, the integrity of the link is notcontrolled.

To date, only the use of an internal data link gives the remote-operatorthe possibility of guaranteeing the integrity of the informationtransmitted to the remotely-operated vehicle and of certifying the wholeof the system.

This certification nevertheless requires the deployment of significantmeans and may prove to be of a prohibitive cost.

In particular, the remotely-operated systems are called to fulfill theirmission in an increasingly automated way by resorting to potentiallyhighly scalable navigation algorithms not necessarily deterministic (orfor which convergence will not be able to be demonstrated) based onmulti-sensor information.

As for the ground operator interfaces, they are complex and potentiallyheterogeneous (in the majority of cases, these interfaces/supportscannot be certified).

A general purpose of the invention is to solve these problems and topropose an architecture allowing certification of the monitoring andcontrol chain at a low cost.

In particular, the remote-operator which has the actual control of theoperated vehicle has to check the safety parameters of the flight and inparticular

-   -   have the control of the trajectory of the vehicle (not leaving        the area thereof),    -   have the control of the fallout area in the case of an engine        failure or of a “crash” (of course any uncontrolled “crash”        should be avoided in order not to risk any accidents on the        forbidden areas such as highly populated areas and allowing, in        the case of difficulties, optimization of a landing on more        favorable areas should be allowed),    -   permanently monitoring the condition of the different        sub-assemblies involved in the safety of the flight (energy,        motorization, control links, navigation, . . . ).

GENERAL PRESENTATION OF THE INVENTION

For this purpose, the invention proposes a remotely-operated systemincluding:

-   -   at least one interface on the ground from which an operator may        control a remotely-operated vehicle,    -   at least one mission assembly in said vehicle,    -   a data link between said interface and said mission assembly,    -   characterized in that it includes on the ground and in the        vehicle safety checking systems adapted for signing and/or        authenticating critical data and/or commands exchanged between        the ground and the vehicle, and/or for checking the integrity of        these data, and in that one of the safety checking systems in        the vehicle is adapted for checking whether the        remotely-operated vehicle is maintained in a safety coverage        predefined by the ground and for triggering a predetermined        action when this is not the case.

The authentication and the signature of the data give the possibility ofproviding the remote-operator with means for guaranteeing the receivedcommands on-board and the information used for making a decision(airplane position, condition of the critical sub-assemblies).

Checking the integrity gives the possibility of guaranteeing that theorders emitted by the remote-operator, like the pieces of informationwhich he/she receives, have not been modified by the transmission chain.

Thus, it is possible to use both on the ground and on-board the vehicle,interfaces and mission assemblies with a low criticality level, at thesame time as mission interfaces and assemblies with a higher criticalitylevel.

In a possible alternative of the invention, an independent safety datalink chain is provided in order to allow triggering of a predeterminedsafety action from the ground.

Still in another alternative, the safety checking system of the vehicleis adapted for receiving a series of simple orders from the air trafficcontrol.

PRESENTATION OF THE FIGURES

Other features and advantages of the invention will further emerge fromthe description which follows, which is purely illustrative andnon-limiting, and should be read with reference to the appended figureswherein:

FIG. 1 illustrates a block diagram of a possible application of theinvention;

FIGS. 2 and 3 illustrate two other possible embodiments of theinvention.

DESCRIPTION OF ONE OR SEVERAL EMBODIMENTS

The architecture illustrated in FIG. 1 includes a ground part 1 and apart 2 on the remotely-operated vehicle.

On the ground, the architecture comprises at least one interface 3 fromwhich an operator may control the remotely-operated vehicle, aconcentrator 4 giving the possibility of ensuring the data link with thevehicle, as well as an interface 5 which is of a higher criticalitylevel (DAL or “Development Assurance Level”) than the interface 3 andthe concentrator 4.

A safety control system 6 is provided on the ground. This system is alsoof a high criticality level and has the following functions:

-   -   it signs the critical commands emitted by either one of the        interfaces 3 and 5 intended for on-board the vehicle (ciphering        application);    -   it checks the integrity of the state data regularly received        from on-board (position, status of the piece of equipment,        etc.). The checking of integrity is accomplished both spatially        and temporally. The condition received from on-board is then        classified by the system according to three states: functional,        degraded, non-functional;    -   it checks the consistency between the command emitted towards        on-board and the command return which is transmitted from        on-board by the critical assembly of the latter;    -   it regularly transmits on-board requests for authentication        (application of a challenge function);    -   it copies the instructions emitted by the mission interface 5        intended for on-board in order to control the latter (short        safety loop).

A similar architecture is also provided on-board the vehicle. The latterintegrates for this purpose one or several mission assemblies 7 of a lowcriticality level, one or several mission assemblies 8 with a highcriticality level, a concentrator 9 giving the possibility of ensuringthe link with the ground, and a safety system 10.

This safety checking system 10 is also with a high criticality level andapplies the following controls:

-   -   it broadcasts towards the critical assembly 8 the command from        the ground after decoding;    -   it checks the integrity of this command before its broadcasting        towards the critical assembly 8;    -   it regularly emits authentication requests (challenge) intended        for the interfaces 3 and 5 on the ground;    -   it checks the time validity of the commands from the ground        (ageing);    -   it emits to the ground acknowledgments of instructions from the        remotely-operated critical assembly 8;    -   it signs the controls and statuses issued from the        remotely-operated critical assembly 8.

It will be noted here that the components and the algorithms signing thecommands from the ground and signing the controls from on-board areidentical.

Highly secured keys and robust mathematical algorithms are used forensuring that the probability of receiving erroneous orders/stateswithout being able to detect them is very low (less than a levelequivalent to the function which it serves).

The casings of the different processing units used have an accurateinternal clock reset on a same time base. The clock of these casings isselected to be robust towards loss of reference.

Moreover, the safety system 10 of the vehicle is capable of checkingwhether the vehicle is maintained in a safety coverage(three-dimensional area, critical status . . . ) predefined by theground.

The remotely-operated vehicle comprises a navigation system, including asatellite positioning receiver (for example of the GPS type), and aninertial central unit.

The remotely-operated vehicle also comprises a configured processingmodule for determining, from position signals generated by thenavigation system and by the inertial central unit, instantaneousposition data of the vehicle. The position data of the vehicle includedata representative of the instantaneous space coordinates of thevehicle (latitude, longitude and altitude), as well as possibly aprotective radius. The protective radius defines a volume around theposition defined by the instantaneous coordinates, in which the vehicleis found, taking into account uncertainties related to the measurement.

The position data of the vehicle are transmitted by the processingmodule to the safety checking system 10.

The safety checking system 10 compares the position data which itreceives from the processing module with data representative of thedefined safety coverage and transmitted by the ground.

In the case when the commands from on-board or the states of thecritical sub-assembly 8 are not compliant with this safety coverage, thesystem 10 triggers a predetermined action (isolation of the outercommands and/or applications of safety rules, for example).

The data representative of the safety coverage may comprise ranges oflatitude, longitude and altitude, in which the remotely-operated vehiclehas to be positioned.

According to a first possibility, the protective radius is calculated bythe processing module located on-board the vehicle.

In this case, the protective radius is transmitted by the processingmodule to the safety checking system 10 on-board the vehicle with theposition data.

The position data, including the protective radius, are transmitted bythe safety checking system 10 located on-board to the safety checkingsystem 6 located on the ground.

In return, the safety checking system 6 located on the ground transmitsto the safety checking system 10 located on-board, the datarepresentative of the safety coverage, in order to allow the safetychecking system 10 located on-board to check whether theremote-controlled vehicle is maintained in the safety coverage.

The safety coverage may be determined on the ground from position datatransmitted by the safety checking system 10 located on-board. Theposition data of the vehicle and the representative data of the safetycoverage exchanged between the ground and the vehicle are signed by theemitter control system and authenticated by the receiver control system.

According to a second possibility, the protective radius is calculatedby a processing module located on the ground.

This second possibility may in particular be useful if the calculationof the protective radius has to take into account the fact that one ortwo GNSS satellites may have failed. This calculation requires the useof a complex processing system, including a large filter bank which mayadvantageously be moved to the ground, wherein the available means donot have the same limitations as those on-board the vehicle and whichmay allow the processing of several vehicles at a time.

In this case, the space coordinates of the vehicle are transmitted bythe safety checking system 10 located on-board to the safety checkingsystem 6 located on the ground.

The processing module located on the ground calculates the protectiveradius depending on the instantaneous space coordinates of the vehicle(latitude, longitude and altitude, GNSS distance data to the differentvisible satellites), as well as the representative data of theprotective coverage.

The safety checking system 6 located on the ground transmits to thesafety checking system 10 located on-board, the representative data ofthe protective radius and of the safety coverage, in order to allow thesafety checking system 10 located on-board to check whether theremote-controlled vehicle is maintained in the safety coverage.

The position data of the vehicle and the representative data of theprotective radius and of the safety coverage exchanged between theground and the vehicle are signed by the emitter control system andauthenticated by the receiver control system.

In still another alternative (FIG. 2—dedicated emergency chain of thesystem), the system 10 is capable of receiving a simple order (discretetype from a chain 11 for linking independent safety data). In this case,the system triggers a predetermined action (e.g.: isolation of the outercommands and/or applications of safety rules).

Also in a third alternative (FIG. 3—control taken by the air trafficcontrol), in the case of a loss of control (either involuntary orvoluntary), of the control station, the safety system of the vehicle iscapable of receiving a series of simple orders from the air trafficcontrol (station ATC 13) via a “VHF” link (station 12).

The authenticity of these commands is checked by a signature mechanismon the basis of keys exchanged between the ATC and the remote-operatorbeforehand.

1. A remotely-operated system including: at least one interface on theground from which an operator may control a remotely-operated vehicle,one second interface on the ground having a higher criticality levelthan the first interface on the ground, at least one mission assembly insaid vehicle, a data link between said interface and said missionassembly, the system including on the ground and in the vehicle safetychecking systems adapted for signing and/or authenticating critical dataand/or commands exchanged between the ground and the vehicle, and/or forchecking the integrity of these data, the safety checking system on theground being adapted for checking the consistency between the emittedcommand data intended for on-board the vehicle and a command returnwhich is transmitted from on-board the vehicle by a remotely operatedcritical assembly and one of the safety checking systems in the vehicleis adapted for checking whether the remotely-operated vehicle ismaintained in a safety coverage predefined by the ground and fortriggering a predetermined action when this is not the case.
 2. Thesystem according to claim 1, wherein the safety checking system on theground is adapted for signing the critical commands emitted by eitherone of the interfaces intended for on-board the vehicle and for checkingthe integrity of the state data received from on-board.
 3. (canceled) 4.The system according to claim 1, wherein the safety checking system onthe ground is adapted for copying and controlling emitted command dataintended for on-board by a mission operator interface of highcriticality.
 5. The system according to claim 1, wherein the safetychecking system on-board the vehicle is adapted for authenticating thecommand data intended for a remotely-operated assembly of highcriticality on-board the vehicle and for checking their integrity. 6.The system according to claim 1, wherein the safety checking systemon-board the vehicle is adapted for checking the temporal validity ofthe commands from the ground.
 7. The system according to claim 1,wherein the safety checking system on-board the vehicle is adapted foremitting to the ground acknowledgments of instructions from a criticalassembly on-board the remotely-operated vehicle.
 8. The system accordingto claim 1, wherein the safety checking system on-board the vehicle isadapted for signing the controls and statuses issued from a criticalassembly on-board the remotely-operated vehicle.
 9. The system accordingto claim 1, wherein a safety checking system on the ground (respectivelyon-board the vehicle) is adapted for regularly transmitting to on-board(respectively to the ground) authentication requests.
 10. The systemaccording to claim 1, wherein it further includes an independent safetydata link chain in order to allow triggering of a predetermined safetyaction from the ground.
 11. The system according to claim 1, wherein thesafety checking system of the vehicle is adapted for receiving a seriesof simple orders from the air traffic control.